The question "how much is enough" in regard to security spending has been explored by many researchers. Industry seems to have answered the question simply as "spend just enough to pass the next regulatory examination." Regulatory security standards are intended to provide a generalized baseline for information protection and organizations are failing to recognize their own security requirements do not directly map to any single standard or set of standards. In fact, the very elements within an organization that do not overlap with a standard may present the most challenging risks. Unfortunately, it appears many institutions have settled on the misguided notion that compliance and security are essentially synonymous and as a result have significant unmitigated risks. Simply stated, the checklist security audit approach is easy to understand and budget for, but the result is inadequate security. The Heartland Payment Systems breach demonstrated how an emphasis on compliance may not be reasonable as the company was damaged by a ...

Rapid7's acquisition of the Metasploit Project takes down one of the few remaining open source security projects. But expect a smooth transition; there have been many success stories and mistakes made to learn from.